Cyber attack on Shirbit Insurance Company
First of all
This document has been written and updated until December 8, 2020 and refers to what is known about the cyber-attack on Shirbit insurance company, as of this point in time. Although this is a cyber-attack, this document will focus on the business, organizational and accountability angle of the company’s management. This responsibility is important and critical to understanding and managing the incident. It’s important to say, this is an event with a lot of technological failures and we will address them as well. Moreover it is important to note that the responsibility of the company’s management is also reflected in the regulatory “cyber risk management in institutional bodies” of the Capital Markets, Insurance and Savings Division, dated 31 August 2016.
This document analyzes the event in the Cyber Resilience perception. The document discusses the importance of assessments for properly dealing with the cyber-attack in the business aspect. In addition, the document deals with the importance of the existence of an organizational information security culture. The involvement of the company’s management contributes to addressing the challenge of reducing exposure to business cyber risks, leading to effective and rapidly dealing with the cyber-attack.
We will not underestimate — this is the most difficult cyber incident a business company has faced in Israel, however, it is highly likely that after analyzing the failures and decision-making the question arises as to whether the incident was caused by force majeure or could have been prevented.
Shirbit, an insurance company that operates mainly in the field of auto insurance, was established in 2000 and is owned by Yigal Rabnoff and employs 220 employees from its offices in Netanya.
The responsibility for the attack was taken almost immediately by a group of attackers named Black Shadow, and it began to disclose information from the company’s servers directly on its Telegram channel to prove seriousness.
It is important to note that despite attempts by some parties to determine on the first day of the attack that it was a ransomware attack, it was clear that this was not a financial motivation but an attack designed to expose extensive information about the country’s residents. When the ransom demand was send , the content and its schedules proved that it was only a game and that it was clear to the attackers that the demand along with the schedules was unrealistic. It was clear that the attackers were toying with the idea.
Shirbit has a cyber-insurance policy purchased through AON.
Schedules and events:
Communications with the Company’s Event Monitoring Service(SOC)have stopped
Actual event start, on company servers
30.11.20 (21:00PM )
Reporting to regulators
The incident was revealed in the media
- Incident Response team kicks in
- Website disabled
- Operates a call center only
IR team replaced by another IR team
3.12.20 (12:39AM )
Ransom demand distributed
Information distributed via telegram channel
- Expiration of the ultimatum and widespread information distribution
- The website returns in part, landing page and “questions-answers” page that attempts to provide information
Decision-making with technological questions is known to be the responsibility of the professional team. However, everyone knows that the costs of IT are very expensive. This almost always creates a clash between professional and business interests. It is the responsibility of the professional staff to explain to the company’s management the operational need and insist on its integration, under professional conditions. When this is not possible the professional manager must try to the point where the CEO of the company is decisive. At the end of the day, it’s his decision. In the concept of Cyber Resilience a steering committee is mandatory. The steering committee should include senior executives and it must hold a matter-of-fact discussion that hears all considerations — intra-organizational politics, pressures and hierarchical status. Eventually the steering committee will make the most appropriate decision.
Event Monitoring Technology Flaws — The Company used an Information Security Incident Monitoring Service (SOC) that provided service only during the work week, without weekends. Everyone knows that weekends and holidays, days when companies work with small teams, if any, are the ideal days for realizing attacks. We don’t known if the attack really began over a random weekend, but it’s a strange decision.
In addition, the service used in a limited way, allowing only monitoring capabilities, without the possibility of remote assistance and support operations. In such a situation the service has no added value at all and the decision to do so indicate the management’s choice was aiming only to show the regulator they did what he asked. Nothing more. Another allegation is known that the monitoring service had warned of an intrusion a few months earlier. The claim supports what we know about the operation profile of attackers in leaked-type attacks. Most of these attackers will have many weeks and months on the company’s servers before disclosing the information they obtained. It is estimated that in the current event the attackers spent at least 2–4 months on the organization’s servers.
Information Security Manager. According to the LinkedIn profile, the Information Security Officer (CISO) did not have the experience and professional background required for the job definitions (Android developer, after completing an information security course at Hackario College). CISO in an insurance company, as a first job, part-time — is this the right professional decision?
Any information security manager at an insurance company or knows that only responding to the regulator’s requirements requires two to three days a week. A position of this scale does not allow the exercise of information security and strategy.
Here’s proof of the damage caused by unwise financial savings. In addition, did the regulator know that this is how its regulation is treated?
The access vector. The attackers implemented access through a known security breach in Pulse VPN. It’s a solution that allows employees to connect from a remote workstation or via mobile device. In addition, it is known that the company has had a number of other software solutions and applications, including Windows that wasn’t patched as required. It is also known that the company acquired Forcepoint DLP software, but it was not installed properly. That’s why the attackers could have pulled a lot of information without setting a red flag.
Spokesperson and marketing. As soon as the event began, the company’s website was shut down and no online information could be obtained. This problem is likely indicative of the maintenance of the On Prem site. It took the company 5 days to upload a Q&A mini site. This document also proved that the company still doesn’t understand what a cyber-attack is, what is data breach means, what happened to them and what they’re required to do. The company even insisted on telling it was continuing to sell new policies.
On the first day of the attack, the company sent to the media and clients a very simplistic and even dismissive text message that did not conform to any acceptable standards.
Two days later, another message was sent. In addition, the company’s CEO was interviewed and instead of generating trust and making it clear that the company was dealing with the attack he reacted badly with confusion, misunderstanding. Actually his words were fraudulent. Seems like a very bad mistake.
· The website must be maintained separately from the main homepage.
· It is recommended to produce an alternative landing page on a third channel.
· It is recommended to produce a communication form with the company’s customers service that will at the very least enable feedback and provide customers with a sense of attention and communication.
· It is also recommended to produce a direct communication channel using a Twitter profile or Telegram channel and to keep it updated at least 3 times a day.
This cannot be expected to happen without thorough and preliminary, cross-functional assessments, knowing and understanding the uniqueness of cyber risk itself, even though “to me it won’t happen,” “I handled,” “it’s going to be okay” and “don’t overdo it, it’s an extreme scenario,” are familiar arguments.
Financial costs. We are now witnessing most of the risks and tackles a business company is exposed to as a result of a cyber-attack. It begins with dealing with the various regulators, through reputational damage, replacing equipment and infrastructure, huge costs of a crisis and more. These financial costs are damages in itself.
Instant money paid:
· IR (Incident Response) staff is worth $350 to $500, per hour of work. It’s usually a team of at least 3 people working a week or more around the clock.
· A forensics specialist will require an average of $500 and the time it will take him to work could take weeks and longer.
· A negotiating manager will charge $7,000 for the first day. On the second day the cost will be $4000 on the third day it will be less. Sometimes he will also charge a commission from the difference he managed to save.
· The cost of the company’s lawyers will already be required for answers in courts and to prepare the company’s position for regulators’ demands.
· Crisis manager cost an average of $40,000.
· Activating the cyber insurance policy, deductible — averaging $100,000.
Money to be paid in the future:
· Is there any way to assess what the fine will be from the regulator?
· Is there any way to estimate the cost of the reputation damage?
· How many advertising campaigns will it take and how much money will be spent on them?
· How many discounts will the company have to give, in order to attract customers?
· Do we know which class action the court will choose and how much it will sentence the company to pay at the end of the proceeding, in 3–5 years of legal hearings?
· Is it possible to estimate at the current point in time how much the construction of the technological, communication and infrastructure will cost?
Crisis Management. Unfortunately, this category cannot be addressed in matters, since all decision-making, style, schedules. All attest to the lack of a professional and experienced hand directing the company’s management in dealing with the current event.
Recommendation: Once again, we have received concrete proof of how a cyber-incident is conducted. This is no ordinary crisis. To deal well with a cyber-incident, you must use an expert in managing cyber events. The expert, who also wrote the cyber incident response procedure, knows all the consequences and actions required to take. The event manager must understand the technological language and business language to work together with the technical team, the communications team and the legal team.
Insights. We still don’t know if the attackers are Israelis or from a hostile country. However, their behavior profile is typical to countries such as Iran or Russia. We also know that they hold a great lot of information including access to the company’s servers and active directory (which provides information about everything that is done in the organization). It also seems that unlike familiar attack groups, this group’s motivation is not financial. When they demanded the ransom they knew they were asking for something irrational, not at the schedule level, not the possibility of execution and not the amount.
From the messages they post on their Telegram channel, they seem to be toying with a panic that receives media coverage and is troubled by the damage that could be caused to the country’s citizens. Further proof of their cynicism we received when they attached screenshots from the correspondence with the negotiating director.
As we know, cyber-attack is a function of when, not if. Therefore there is a lot of understanding and empathy for any company dealing with this kind of incident. However, the sequence of failures that led to such bad management of the incident and with it bad decision-making, indicate a lack of understanding and experience in dealing with cyber incidents. Their every decision over time was a mistake. They project smugness and detachment and it all led to an even bigger crisis. A good program of assessments takes into account triggers, mixed teams, status assessments and principled decisions that are used as anchors during event management. Shirbit didn’t have any plan, and that’s the difference between company that manage to deal properly and company that collapse.
In fairness, Shirbit is not alone in this event. As a company that has won a government tender, and not for the first time, the state is expected to ensure that the supplier is conducted in accordance with high standards. The National Cyber Directory also needs to explain how it allowed this to happen. In addition, an important question is asked about the responsibility of the insurance supervisor. How does it allow an insurance company to hire a part-time information security professional? Why doesn’t it enforce regulation? There are a lot of questions that require a primary home check mainly in the regulator’s understanding of what a cyber-attack is.
Without sarcasm — if there’s one thing all companies can learn from this event, it’s how different a cyber-attack is from everything that seems to be. The fact that there are risk management, compliance and auditing departments in every organization is not a guarantee of anything. Nor is the fact that there is binding regulation.
In supervised vision, it is advisable to start thinking about the cyber-attack through other eyes, from another angle that is not accustomed to it. Hackers, do not work according to NIST regulations, ISO etc.
So far, about four class-action lawsuits have been filed with the court.
· Establishes a professional steering committee, which includes various functionaries, which discusses the risk of business cyber and defines controls to reduce it.
· Receiving advice from a professional who is familiar with the concept of Cyber Resilience to accompany the process.
· Realization and implementation of what matters and not just a “mandatory minimum” of regulatory requirements and information security needs.
· Administrative controls on the implementation and implementation of information security policies.
· Adding dedicated controls according to the unique business cyber risk for each department.
· Management responsibility for implementing a cyber-attack assessment program — defining triggers, situation assessments, professional teams.
· Receiving advice on a variety of substantive scenarios in favor of proper conduct and reducing exposures to cyber-risks.
· Determination and implementation of a methodology involving representatives of business activities together with marketing, spokespersons, attorneys and public relations in the unique conception infrastructure of cyber event management.
· Creating an event portfolio tailored to a cyber-incident including locked messages in accordance with a possible escalation to a variety of stakeholders — communications, customers, social media, investors and more.
· Regulatory requirement for direct employment of the CISO, while meeting threshold conditions, at the very least seniority.
· Regulatory enforcement, immediately with failure detection.
The event is not over yet.
Einat Meyron is an expert C-level consultant. She accompanies managers and organizations through advanced assessments to attain more efficient and precise coping capacity in order to better handle the business impact of cyber events. The joint activity in the establishment of the assessments ensures effective identification of the enterprise-specific cyber risks and creates a dedicated playbook that includes accurate identification of triggers, threat vectors, response teams, order of operations, and a structured decision-making mechanism.
Einat serves as a mentor to managers and security principals who understand the challenges and business risks in both the cyber threat domain as well as the business domain, functioning as a liaison between organization’s executive management and the Chief Information Security Officer. Additionally, Einat has a seat at the INCOD’s roundtable. She also lectures in conferences, courses, and forums of the CPA Bureau, the Technology Association, ISACA, directors course, The Conference Association, the Haifa University, Cyber Club at the Interdisciplinary Center (IDC), Tel Aviv Yafo Academic College, Afeka School and more.